Splitter dekryptering/dekomprimering og annen validering

navikt · Nov 29, 2024 · b1d5a13 · b1d5a13
1 parent 51d8f47
commit b1d5a13
Show file tree

Hide file tree

Showing 2 changed files with 88 additions and 112 deletions.
diff --git a/ebms-payload/src/main/kotlin/no/nav/emottak/payload/Processor.kt b/ebms-payload/src/main/kotlin/no/nav/emottak/payload/Processor.kt
@@ -1,10 +1,8 @@
 package no.nav.emottak.payload
 
 import no.nav.emottak.crypto.KeyStore
-import no.nav.emottak.message.model.Direction
 import no.nav.emottak.message.model.Payload
 import no.nav.emottak.message.model.PayloadRequest
-import no.nav.emottak.message.model.PayloadResponse
 import no.nav.emottak.payload.crypto.Dekryptering
 import no.nav.emottak.payload.crypto.Kryptering
 import no.nav.emottak.payload.crypto.PayloadSignering
@@ -30,74 +28,51 @@ class Processor(
     private val juridiskLogging: JuridiskLoggService = JuridiskLoggService()
 ) {
 
-    suspend fun process(payloadRequest: PayloadRequest): PayloadResponse {
-        val processedPayload = when (payloadRequest.direction) {
-            Direction.IN -> processIncoming(payloadRequest)
-            Direction.OUT -> processOutgoing(payloadRequest)
-            else -> throw RuntimeException("Direction can be either IN or Out")
+    suspend fun loggMessageToJuridiskLogg(payloadRequest: PayloadRequest) {
+        try {
+            if (payloadRequest.processing.processConfig.juridiskLogg) {
+                log.debug(payloadRequest.marker(), "Sender forespørsel til juridisk logg")
+                juridiskLogging.logge(payloadRequest)
+            }
+        } catch (e: Exception) {
+            log.error(payloadRequest.marker(), "Feil med å lage forespørsel til juridisk logg", e)
+            throw e
         }
-        return PayloadResponse(
-            processedPayload
-        )
     }
 
-    fun getDecryptedAndDecompressedBytes(bytes: ByteArray, encrypted: Boolean, compressed: Boolean): ByteArray {
-        return bytes.let {
-            if (encrypted) {
-                dekryptering.dekrypter(bytes, isBase64 = false)
-            } else {
-                it
-            }
-        }.let {
-            if (compressed) {
-                gZipUtil.uncompress(bytes)
-            } else {
-                it
+    fun convertToReadablePayload(payload: Payload, encrypted: Boolean, compressed: Boolean): Payload {
+        return payload.copy(
+            bytes = payload.bytes.let {
+                when (encrypted) {
+                    true -> dekryptering.dekrypter(it, false)
+                    false -> it
+                }
+            }.let {
+                when (compressed) {
+                    true -> gZipUtil.uncompress(it)
+                    false -> it
+                }
             }
-        }
+        )
     }
 
-    private suspend fun processIncoming(payloadRequest: PayloadRequest): Payload {
-        val processConfig = payloadRequest.processing.processConfig
-
-        loggMessageToJuridiskLogg(payloadRequest)
-
-        return payloadRequest.payload.let {
-            when (processConfig.kryptering) {
-                true -> dekryptering.dekrypter(it.bytes, false).also { log.info(payloadRequest.marker(), "Payload dekryptert") }
-                false -> it.bytes
-            }
-        }.let {
-            when (processConfig.komprimering) {
-                true -> gZipUtil.uncompress(it).also { log.info(payloadRequest.marker(), "Payload dekomprimert") }
-                false -> it
-            }
-        }.let {
-            if (processConfig.signering) {
-                signatureVerifisering.validate(it)
-                log.info(payloadRequest.marker(), "Payload signatur verifisert")
-            }
-            it
-        }.let {
-            payloadRequest.payload.copy(bytes = it)
-        }.let {
-            if (processConfig.ocspSjekk) {
-                val dom = createDocument(ByteArrayInputStream(it.bytes))
-                val signature = dom.retrieveSignatureElement()
-                val certificateFromSignature = signature.keyInfo.x509Certificate
-                val signedBy = OcspStatusService(defaultHttpClient().invoke(), KeyStore(payloadSigneringConfig()), KeyStore(trustStoreConfig())).getOCSPStatus(certificateFromSignature).fnr
-                it.copy(signedBy = signedBy)
-            } else {
-                it
-            }
+    suspend fun validateReadablePayload(payload: Payload, validateSignature: Boolean, validateOcsp: Boolean): Payload {
+        if (validateSignature) {
+            signatureVerifisering.validate(payload.bytes)
+        }
+        return if (validateOcsp) {
+            val dom = createDocument(ByteArrayInputStream(payload.bytes))
+            val xmlSignature = dom.retrieveSignatureElement()
+            val certificateFromSignature = xmlSignature.keyInfo.x509Certificate
+            val signedBy = OcspStatusService(defaultHttpClient().invoke(), KeyStore(payloadSigneringConfig()), KeyStore(trustStoreConfig())).getOCSPStatus(certificateFromSignature).fnr
+            payload.copy(signedBy = signedBy)
+        } else {
+            payload
         }
     }
 
-    private suspend fun processOutgoing(payloadRequest: PayloadRequest): Payload {
+    fun processOutgoing(payloadRequest: PayloadRequest): Payload {
         val processConfig = payloadRequest.processing.processConfig
-
-        loggMessageToJuridiskLogg(payloadRequest)
-
         return payloadRequest.payload.let {
             when (processConfig.signering) {
                 true -> {
@@ -123,16 +98,4 @@ class Processor(
             }
         }
     }
-
-    private suspend fun loggMessageToJuridiskLogg(payloadRequest: PayloadRequest) {
-        try {
-            if (payloadRequest.processing.processConfig.juridiskLogg) {
-                log.debug(payloadRequest.marker(), "Sender forespørsel til juridisk logg")
-                juridiskLogging.logge(payloadRequest)
-            }
-        } catch (e: Exception) {
-            log.error(payloadRequest.marker(), "Feil med å lage forespørsel til juridisk logg", e)
-            throw e
-        }
-    }
 }
diff --git a/ebms-payload/src/main/kotlin/no/nav/emottak/payload/Routes.kt b/ebms-payload/src/main/kotlin/no/nav/emottak/payload/Routes.kt
@@ -19,7 +19,6 @@ import no.nav.emottak.message.model.Feil
 import no.nav.emottak.message.model.Payload
 import no.nav.emottak.message.model.PayloadRequest
 import no.nav.emottak.message.model.PayloadResponse
-import no.nav.emottak.payload.crypto.DecryptionException
 import no.nav.emottak.payload.util.marshal
 import no.nav.emottak.payload.util.unmarshal
 import no.nav.emottak.util.marker
@@ -30,51 +29,65 @@ fun Route.postPayload() = post("/payload") {
     log.debug(request.marker(), "Payload mottatt for prosessering med steg: {}", request.processing.processConfig)
 
     runCatching {
-        processor.process(request)
-    }.onSuccess {
-        log.info(request.marker(), "Payload prosessert OK <${request.payload.contentId}>")
-        call.respond(it)
-    }.onFailure { originalError ->
-        log.error(request.marker(), "Payload prosessert med feil ${originalError.localizedMessage}", originalError)
-        val apprecResponse = request.processing.processConfig.apprec &&
-            originalError !is DecryptionException &&
-            request.direction == Direction.IN
-
-        runCatching {
-            when (apprecResponse) {
-                true -> {
-                    log.info(request.marker(), "Oppretter negativ AppRec for payload <${request.payload.contentId}>")
-                    val msgHead = unmarshal(
-                        processor.getDecryptedAndDecompressedBytes(
-                            request.payload.bytes,
-                            request.processing.processConfig.kryptering,
-                            request.processing.processConfig.komprimering
-                        ),
-                        MsgHead::class.java
+        val processConfig = request.processing.processConfig
+        if (processConfig.juridiskLogg) {
+            processor.loggMessageToJuridiskLogg(request)
+        }
+        when (request.direction) {
+            Direction.IN -> {
+                val readablePayload = processor.convertToReadablePayload(request.payload, processConfig.kryptering, processConfig.komprimering).also {
+                    if (processConfig.kryptering) log.info(request.marker(), "Payload dekryptert")
+                    if (processConfig.komprimering) log.info(request.marker(), "Payload dekomprimert")
+                }
+                try {
+                    PayloadResponse(
+                        processedPayload = processor.validateReadablePayload(readablePayload, processConfig.signering, processConfig.ocspSjekk).also {
+                            if (processConfig.signering) log.info(request.marker(), "Payload signatur verifisert")
+                            if (processConfig.ocspSjekk) log.info(request.marker(), "Payload signatur ocsp sjekket")
+                        }
+                    )
+                } catch (e: Exception) {
+                    log.error(request.marker(), "Feil ved validering av payload", e)
+                    val errorPayload: Payload? = runCatching {
+                        when (processConfig.apprec) {
+                            true -> {
+                                log.info(request.marker(), "Oppretter negativ AppRec for payload <${request.payload.contentId}>")
+                                Payload(
+                                    marshal(
+                                        createNegativeApprec(unmarshal(readablePayload.bytes, MsgHead::class.java), e)
+                                    ).toByteArray(),
+                                    ContentType.Application.Xml.toString()
+                                )
+                            }
+                            false -> null
+                        }
+                    }.onFailure {
+                        log.error(request.marker(), "Opprettelse av negativ apprec feilet", it)
+                    }.getOrThrow()
+                    PayloadResponse(
+                        processedPayload = errorPayload,
+                        error = Feil(ErrorCode.UNKNOWN, e.localizedMessage, "Error"),
+                        apprec = errorPayload != null
                     )
-                    val apprec = createNegativeApprec(msgHead, originalError as Exception)
-                    Payload(marshal(apprec).toByteArray(), ContentType.Application.Xml.toString())
                 }
-                false -> null
             }
-        }.onSuccess {
-            call.respond(
-                HttpStatusCode.BadRequest,
-                PayloadResponse(
-                    processedPayload = it,
-                    error = Feil(ErrorCode.UNKNOWN, originalError.localizedMessage, "Error"),
-                    apprec = it != null
-                )
-            )
-        }.onFailure {
-            log.error(request.marker(), "Opprettelse av negativ apprec feilet", it)
-            call.respond(
-                HttpStatusCode.BadRequest,
+            Direction.OUT -> {
                 PayloadResponse(
-                    error = Feil(ErrorCode.UNKNOWN, it.localizedMessage, "Error")
+                    processedPayload = processor.processOutgoing(request)
                 )
-            )
+            }
         }
+    }.onSuccess {
+        log.info(request.marker(), "Payload prosessert OK <${request.payload.contentId}>")
+        call.respond(it)
+    }.onFailure { error ->
+        log.error(request.marker(), "Payload prosessert med feil: ${error.localizedMessage}", error)
+        call.respond(
+            HttpStatusCode.BadRequest,
+            PayloadResponse(
+                error = Feil(ErrorCode.UNKNOWN, error.localizedMessage, "Error")
+            )
+        )
     }
 }